COMP 4580 Computer Security
Web Security II
Dr. Noman Mohammed, Winter 2019
Including slides from: Dan Boneh, David Brumley, Ian Goldberg, Jonathan Katz, John Mitchell, Vitaly Shmatikov and many others.
Outline
- Cookies
- Web Application Security
- Command Injection
- SQL Injection
Cookies
Used to store state on the user's machine.

  Browser ---- POST ----> Server
          <--- HTTP response header:
               Set-Cookie: NAME=VALUE; domain=(who can read); expires=(when it expires); secure=(only over SSL)

  Browser ---- POST ----> Server
               Cookie: NAME=VALUE

HTTP is a stateless protocol; cookies add state.
What Are Cookies Used For?
- Authentication: use the cookie to prove that the client previously authenticated correctly
- Personalization: recognize the user from a previous visit
- Tracking: follow the user from site to site; learn his/her browsing behavior, preferences, and so on
Setting/Deleting Cookies by Server

  Browser ---- GET ----> Server
          <--- HTTP response header:
               Set-Cookie: NAME=VALUE; domain=(when to send); path=(when to send);
                           secure=(only send over SSL); expires=(when expires); HttpOnly

- domain and path define the cookie's scope
- If expires is null: this session only
- Delete a cookie by setting expires to a date in the past
- Default scope is the domain and path of the setting URL
Scope Setting Rules
Domain: any domain-suffix of the URL hostname, except the TLD.
Example: host = login.site.com
  allowed domains:    login.site.com, .site.com
  disallowed domains: user.site.com, othersite.com, .com
login.site.com can set cookies for all of .site.com, but not for another site or a TLD.
Path: can be set to anything.
Example
  cookie 1: name=userid, value=test,    domain=login.site.com, path=/, secure
  cookie 2: name=userid, value=test123, domain=.site.com,      path=/, secure
These are distinct cookies: cookies are identified by (name, domain, path).
Both cookies are stored in the browser's cookie jar; both are in scope of login.site.com.
Reading Cookies on Server

  Browser ---- GET //URL-domain/URL-path ----> Server
               Cookie: NAME=VALUE

The browser sends all cookies in the URL's scope:
- cookie-domain is a domain-suffix of URL-domain, and
- cookie-path is a prefix of URL-path, and
- protocol is https if the cookie is marked secure
Goal: the server only sees cookies in its scope.
Examples
Both cookies set by login.site.com:
  cookie 1: name=userid, value=u1, domain=login.site.com, path=/, secure
  cookie 2: name=userid, value=u2, domain=.site.com,      path=/, non-secure

  Request URL                 Cookie header sent
  http://checkout.site.com/   cookie: userid=u2
  http://login.site.com/      cookie: userid=u2
  https://login.site.com/     cookie: userid=u1; userid=u2   (arbitrary order)
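The three scope rules (domain-suffix, path-prefix, secure-only-over-https) and the domain-setting rule are small enough to model directly. The following is an added example, not code from the slides: a toy cookie jar that reproduces the table above for the two login.site.com cookies and checks which domains login.site.com may set. It deliberately uses the slides' simplified suffix rule rather than the full RFC 6265 matching.

```python
# Added example (not from the slides): a minimal model of the cookie scope
# rules on the previous slides, replayed on the login.site.com example.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str    # "login.site.com" or ".site.com"
    path: str      # "/"
    secure: bool   # only sent over https


def domain_matches(cookie_domain: str, host: str) -> bool:
    """cookie-domain must be a domain-suffix of the URL host."""
    cd = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cd or host.endswith("." + cd)


def path_matches(cookie_path: str, url_path: str) -> bool:
    """cookie-path must be a prefix of the URL path."""
    return (url_path or "/").startswith(cookie_path)


def can_set_domain(setting_host: str, requested_domain: str) -> bool:
    """Scope-setting rule: any domain-suffix of the setting host, except a TLD."""
    rd = requested_domain.lstrip(".")
    if "." not in rd:                       # ".com": a bare TLD is never allowed
        return False
    return domain_matches(rd, setting_host)


def cookies_for(url: str, jar: list) -> list:
    """The cookies a browser attaches to a request for `url` (all three rules)."""
    u = urlsplit(url)
    https = u.scheme == "https"
    return [c for c in jar
            if domain_matches(c.domain, u.hostname or "")
            and path_matches(c.path, u.path)
            and (https or not c.secure)]


def cookie_header(url: str, jar: list) -> str:
    """Render the Cookie: header value the browser would send."""
    return "; ".join(f"{c.name}={c.value}" for c in cookies_for(url, jar))


# The two cookies from the slide, both set by login.site.com.
JAR = [Cookie("userid", "u1", "login.site.com", "/", True),
       Cookie("userid", "u2", ".site.com", "/", False)]

if __name__ == "__main__":
    for url in ("http://checkout.site.com/", "http://login.site.com/",
                "https://login.site.com/"):
        print(f"{url:28} Cookie: {cookie_header(url, JAR)}")
    for d in ("login.site.com", ".site.com", "user.site.com", "othersite.com", ".com"):
        print(f"login.site.com may set domain={d}: {can_set_domain('login.site.com', d)}")
```

Note that cookie 1 disappears from the plain-http request to its own host only because of the secure flag; the domain and path rules alone would have sent it.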
Client Side Read/Write
Setting a cookie in JavaScript:
  document.cookie = "name=value; expires=...";
Reading a cookie:
  alert(document.cookie)
  prints a string containing all cookies available to the document, based on (domain, path)
Deleting a cookie:
  document.cookie = "name=; expires=Thu, 01-Jan-70";
document.cookie is often used to customize the page in JavaScript.
httponly Cookies

  Browser ---- GET ----> Server
          <--- HTTP response header:
               Set-Cookie: NAME=VALUE; httponly

The cookie is sent over HTTP(S) but is not accessible to scripts: it cannot be read via document.cookie.
Helps prevent cookie theft via XSS, but does not stop most other risks of XSS bugs.
Viewing/Deleting Cookies in Browser
Cookies have no integrity!!
The user can change and delete cookie values!!
- Edit the cookie file
- Modify the Cookie header
Silly example: shopping cart software
  Set-Cookie: shopping-cart-total=150 ($)
The user edits the cookie file (cookie poisoning):
  Cookie: shopping-cart-total=15 ($)
Similar to the problem with hidden fields:
  <INPUT TYPE="hidden" NAME="price" VALUE="150">
Solution: Cryptographic Checksums
Goal: data integrity
Requires a secret key k known to the server but unknown to the browser.
Generate tag: T ← F(k, value)

  Browser <--- Set-Cookie: NAME=value || T ---- Server (holds k)
  Browser ---- Cookie: NAME=value || T -------> Server: verify tag: T = F(k, value)?

value should also contain data to prevent cookie replay and swap.
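The checksum scheme above, as an added example that is not part of the slides: F is instantiated with HMAC-SHA256 under a server-side key, and the tagged value carries the cookie name, the user and an expiry, which is the "extra data" the slide asks for against replay and swap. The cookie name `cart_total`, the user names and the separator are assumptions made for the demo.

```python
# Added example (not from the slides): tagging a cookie value with an HMAC
# under a server-side key k, as in the checksum scheme above. The cookie
# name, the user and an expiry are folded into the tagged value so a valid
# tag cannot be replayed after expiry or swapped onto another user or cookie.
import hashlib
import hmac
import secrets
import time

SEP = "|"   # field separator inside the cookie value; fields may not contain it


def _tag(key: bytes, payload: str) -> str:
    """T <- F(k, value) with F = HMAC-SHA256."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(key: bytes, name: str, user: str, value: str,
                ttl: int, now: int = None) -> str:
    """Build the Set-Cookie value  NAME=value||T, where T covers name, user, value, expiry."""
    if any(SEP in f for f in (name, user, value)):
        raise ValueError("fields may not contain the separator")
    now = int(time.time()) if now is None else now
    payload = SEP.join([name, user, value, str(now + ttl)])
    return f"{name}={payload}{SEP}{_tag(key, payload)}"


def verify_cookie(key: bytes, cookie: str, expected_user: str, now: int = None):
    """Return the protected value, or None if the tag fails, the cookie was
    issued for another user or cookie name, or it has expired."""
    now = int(time.time()) if now is None else now
    try:
        name, rest = cookie.split("=", 1)
        payload, tag = rest.rsplit(SEP, 1)
        p_name, user, value, exp = payload.split(SEP)
    except ValueError:
        return None                                   # malformed
    if not hmac.compare_digest(tag, _tag(key, payload)):
        return None                                   # edited value or forged tag
    if p_name != name or user != expected_user:
        return None                                   # swapped from another cookie/user
    if int(exp) < now:
        return None                                   # replay after expiry
    return value


if __name__ == "__main__":
    k = secrets.token_bytes(32)   # generated at server start; never sent to the browser
    c = make_cookie(k, "cart_total", "alice", "150", ttl=3600)
    print("Set-Cookie:", c)
    print("verify as alice :", verify_cookie(k, c, "alice"))
    print("edited 150->15  :", verify_cookie(k, c.replace("|150|", "|15|"), "alice"))
    print("presented by bob:", verify_cookie(k, c, "bob"))
```

`hmac.compare_digest` is used for the tag comparison so that verification time does not depend on how many leading bytes of a forged tag happen to be right.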
Outline
- Cookies
- Web Application Security
- Command Injection
- SQL Injection
Reported Web Vulnerabilities
(Data from an aggregator and validator of NVD-reported vulnerabilities)
Three Top Web Site Vulnerabilities
- SQL Injection: the browser sends malicious input to the server; bad input checking leads to a malicious SQL query.
- CSRF (cross-site request forgery): a bad web site sends the browser a request to a good web site, using the credentials of an innocent victim.
- XSS (cross-site scripting): a bad web site sends an innocent victim a script that steals information from an honest web site.
Outline
- Cookies
- Web Application Security
- Command Injection
- SQL Injection
Typical Web Application Design
- Runs on a web server or application server
- Takes input from web users (via the web server)
- Interacts with back-end databases and third parties
- Prepares and outputs results for users
  - Dynamically generated HTML pages
  - Content from many different sources, often including the users themselves (blogs, social networks, photo-sharing websites)
Dynamic Web Application

  Browser ---- GET / HTTP/1.0 ----> Web server (index.php) <----> Database server
          <--- HTTP/1.1 200 OK ----
PHP: Hypertext Preprocessor
Server scripting language with C-like syntax.
Can intermingle static HTML and code:
  <input value="<?php echo $myvalue; ?>">
Can embed variables in double-quote strings:
  $user = "world"; echo "Hello $user!";
or
  $user = "world"; echo "Hello " . $user . "!";
Command Injection in PHP
  http://victim.com/copy.php?name=username
copy.php includes:
  system("cp temp.dat $name.dat");      // $name is supplied by the user!
The user calls:
  http://victim.com/copy.php?name=a; rm *
and copy.php executes:
  system("cp temp.dat a; rm *");
Injection
Injection is a general problem, typically caused when data and code share the same channel.
For example, the code is cp and the filename is the data, but ; allows the attacker to start a new command.
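The fix follows from the diagnosis: keep data and code on separate channels. The following is an added example, not the slides' code, that rewrites the copy.php logic in Python with two independent defences: the command is handed to exec as an argv list, so no shell ever parses the user's string and `;` is just a character in a filename, and the name is whitelisted, which also keeps out `../` tricks that cp itself would honour. The file names are the slide's; the whitelist pattern is an assumption.

```python
# Added example (not from the slides): the copy.php logic rewritten so that
# the user-supplied name can never become shell code.
import os
import re
import subprocess
import tempfile

NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")   # whitelist of safe names (assumed policy)


def build_copy_argv(name: str) -> list:
    """argv for `cp temp.dat <name>.dat`; raises ValueError outside the whitelist."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"rejected name: {name!r}")
    return ["cp", "temp.dat", f"{name}.dat"]


def copy_user_file(name: str, workdir: str) -> str:
    """Run the copy without a shell: ';', '*' and friends in argv are plain data."""
    argv = build_copy_argv(name)
    subprocess.run(argv, cwd=workdir, check=True)   # never shell=True / system()
    return os.path.join(workdir, argv[2])


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "temp.dat"), "w") as f:
            f.write("sample data\n")
        print("copied to", copy_user_file("username", d))
        for bad in ("a; rm *", "../etc/passwd", ""):
            try:
                copy_user_file(bad, d)
            except ValueError as e:
                print("blocked:", e)
```

Even without the whitelist, the argv form would try to create a file literally named `a; rm *.dat` rather than run a second command; the whitelist is what stops the remaining file-system abuses.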
Outline
- Cookies
- Web Application Security
- Command Injection
- SQL Injection
SQL
Widely used database query language.
Fetch an attribute:
  SELECT PersonID FROM Person WHERE Username='Alice'
Query syntax is (mostly) independent of vendor.
Database Queries with PHP
Sample PHP:
  $recipient = $_POST['recipient'];
  $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
  $rs = $db->executequery($sql);
Problem: what if recipient is a malicious string that changes the meaning of the query?
SQL Injection: Basic Idea

  Attacker --(1) post malicious form-->  Victim server --(2) unintended query-->  Victim SQL DB
  Attacker <-(3) receive data from DB--  Victim server

This is an input validation vulnerability: unsanitized user input in an SQL query to the back-end database changes the meaning of the query.
It is a specific case of command injection.
Exploits of a Mom
Let's see how this attack works.
SQL Injection Example
Normal Login

  Web browser (client) --- enter username & password ---> Web server --- SELECT * FROM Users WHERE user='me' AND pwd='1234' ---> DB
Bad Input
Suppose user = ' or 1=1 --   (URL encoded)
Then the script does:
  SELECT * FROM Users WHERE user='' or 1=1 --' AND pwd='1234'
The -- causes the rest of the line to be ignored.
Now the login succeeds.
The bad news: easy login to many sites this way.
Even Worse
Suppose user = '; DROP TABLE Users --
Then the script does:
  SELECT * FROM Users WHERE user=''; DROP TABLE Users --' AND pwd='1234'
This deletes the Users table.
Similarly, the attacker can add users, reset passwords, etc.
SQL Injection Example
  View pizza order history:<br>
  <form method="post" action="...">
    Month <select name="month">
      <option value="1">Jan</option>
      ...
      <option value="12">Dec</option>
    </select>
    <p>
    <input type="submit" name="submit" value="view">
  </form>
SQL Injection Example
Normal SQL query:
  SELECT pizza, toppings, quantity, order_day
  FROM orders
  WHERE userid=4123 AND order_month=10

Attack: malicious query
For the order_month parameter, the attacker could input 0 OR 1=1, e.g. by editing the option to
  <option value="0 OR 1=1">Dec</option>
so the query becomes:
  ... WHERE userid=4123 AND order_month=0 OR 1=1
The WHERE condition is always true! This gives the attacker access to other users' private data!
SQL Injection Example: All User Data Compromised
CardSystems Attack (June 2005)
- CardSystems was a major credit card processing company
- Put out of business by a SQL injection attack
- Credit card numbers stored unencrypted
- Data on 263,000 accounts stolen
- 43 million identities exposed
Attack on Microsoft IIS (April 2008)
Preventing SQL Injection
Input validation
- Blacklisting
  - Apostrophes, semicolons, percent symbols, hyphens, underscores, ...
  - Any character that has a special meaning
- Whitelisting
  - Blacklisting bad characters doesn't work:
    - Forget to filter out some characters
    - Could prevent valid input (e.g., last name O'Brien)
  - Allow a well-defined set of safe values: [A-Za-z0-9]*, [0-1][0-9]
  - Valid input set defined through regular expressions
Preventing SQL Injection
Escaping quotes
- For valid string inputs, use escape characters to prevent the quote from becoming part of the query
  - Convert ' into \'
- Different databases have different rules for escaping
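To tie the attack slides (the `' or 1=1 --` login and the `0 OR 1=1` order_month) to the prevention slides, here is an added example that is not part of the lecture: both injections replayed against an in-memory SQLite database with constructed sample rows, beside the fixed versions. The fixes combine the whitelisting just described (a regular expression for the month) with parameterised queries, which bind the input as a value so it can never change the query's structure. Note that the order_month case has no quotes around the number at all, so escaping quotes alone would not have closed it; the table and column names are the slides', the rows and passwords are made up.

```python
# Added example (not from the slides): the two injections replayed against an
# in-memory SQLite database (constructed sample data), beside the whitelisted,
# parameterised queries that close them.
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Users(user TEXT, pwd TEXT);
        INSERT INTO Users VALUES ('me', '1234'), ('admin', 's3cret');
        CREATE TABLE orders(userid INT, pizza TEXT, toppings TEXT,
                            quantity INT, order_day INT, order_month INT);
        INSERT INTO orders VALUES
            (4123, 'margherita', 'basil',  1, 3, 10),
            (4123, 'marinara',   'garlic', 2, 9, 11),
            (9999, 'quattro',    'olives', 1, 5, 10);
    """)
    return db


# --- login -----------------------------------------------------------------
def login_vulnerable(db, user: str, pwd: str) -> bool:
    """String-built query: user = ' or 1=1 -- makes it WHERE user='' or 1=1 --..."""
    sql = f"SELECT * FROM Users WHERE user='{user}' AND pwd='{pwd}'"
    return db.execute(sql).fetchone() is not None


def login_safe(db, user: str, pwd: str) -> bool:
    """Parameterised: the input is bound as a value and cannot alter the query."""
    sql = "SELECT * FROM Users WHERE user=? AND pwd=?"
    return db.execute(sql, (user, pwd)).fetchone() is not None


# --- pizza order history ---------------------------------------------------
def orders_vulnerable(db, userid: int, month) -> list:
    """No quotes around order_month, so quote escaping would not help here."""
    sql = (f"SELECT pizza, toppings, quantity, order_day FROM orders "
           f"WHERE userid={userid} AND order_month={month}")
    return db.execute(sql).fetchall()


MONTH_RE = re.compile(r"[0-1]?[0-9]")   # whitelist in the spirit of the slides


def orders_safe(db, userid: int, month) -> list:
    """Whitelist the month with a regex and a range check, then bind both values."""
    if not MONTH_RE.fullmatch(str(month)) or not 1 <= int(month) <= 12:
        raise ValueError(f"invalid month: {month!r}")
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           "WHERE userid=? AND order_month=?")
    return db.execute(sql, (userid, int(month))).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal login         :", login_vulnerable(db, "me", "1234"))
    print("injected login (vuln):", login_vulnerable(db, "' or 1=1 --", "x"))
    print("injected login (safe):", login_safe(db, "' or 1=1 --", "x"))
    print("own orders           :", orders_vulnerable(db, 4123, 10))
    print("injected month (vuln):", orders_vulnerable(db, 4123, "0 OR 1=1"))
    try:
        orders_safe(db, 4123, "0 OR 1=1")
    except ValueError as e:
        print("injected month (safe):", e)
```

The `?` placeholders are SQLite's parameter syntax; other drivers spell them `%s` or `:name`, but the property is the same: the database receives the query text and the values separately, so the values are never parsed as SQL.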
Recap: SQL Injection
- Bad input checking allows a malicious SQL query
- Known defenses address the problem effectively